How about swapping password rotation fatigue for real-time leak detection?

Hi there!

Traditional password rotation policies, while meant to enhance security, can lead to user fatigue and even weaker security as users struggle to keep up with frequent changes. Instead, real-time password leak detection offers a more effective and user-friendly approach. By actively monitoring for compromised credentials, real-time checks alert users the moment a password is detected in a data breach. This proactive approach minimizes disruption, enhances security, and provides peace of mind, all without the burden of constant password changes.
Is real-time leak detection the future of password management? What do you think?

Bitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben

Content-ID: 669486

Url: https://administrator.de/contentid/669486

Ausgedruckt am: 21.11.2024 um 12:11 Uhr

13 Kommentare

Neuester Kommentar

Nah....How real-time is real-time? And who notices the data breach? If it's breached by capable people, it will take months for the breach to be discovered.
The problem is not the management of passwords, but the passwords themselves.

Spam Spam Spam ...

Yes, but he was stupid to put the link in. So you can just do it for him...

Quote from @kpunkt:

Yes, but he was stupid to put the link in.

It will come.

Quote from @catrell:

Quote from @kpunkt:

Yes, but he was too stupid to put the link in.

It will come.

The moderator monitors this 😉

The system checks passwords against a database of millions of known weak or leaked passwords. The process starts with locally hashing the user's password. Only the first five characters of the hash are then transmitted and a service compares this partial hash to its database and returns possible matches, allowing verification if the full hash is compromised locally.

So which system do you recommend?

We implemented this in the OpenOTP server, but the purpose of the post was to gather feedback on whether it would be beneficial for companies and users (for users for sure) to replace the traditional password rotation routine with this type of mechanism.

I told you so... self-promotion.

You asked, I replied.
Your comments aren't really relevant.

Other solutions, like Google and Apple, also offer similar features for personal accounts.
Would companies change their minds with this kind of feature... Here is the question

Was ist ein Showcase?

Quote from @rcdevs:

Is real-time leak detection the future of password management? What do you think?

No, because it confuses different threats and precautions, putting the latter into a context in which they are not effective.
Checking against known and weak password DBs is primarily a password quality measurement applied during password creation. It can be used for the suggested monitoring purpose, if it is considered that it detects password leaks with the considerable time delay that it takes to collect leaked passwords in the wild, that it should be expected to detect password re-use or mass psychology rather than leakage from the monitored source, and that traded leaked password databases are basically leftovers for which the skilled attacker who initially obtained the database has no further use.

Indeed, if you actually detect a data breach of the monitored source, an ad-hoc rotation (among other means) would counter that. Regular password rotation, on the other hand, is not meant to protect against such data breaches but to counter the time decay in confidentiality that affects passwords which are subject to systematic risk of disclosure, i.e. entered manually. These passwords are usually picked up through shoulder surfing or CCTV and never make it into a database release; and in most cases they are never used for malicious purposes, but with confidentiality as a key requirement for a password, you want to re-establish it from time to time.